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[57] ABSTRACT 

An apparatus and method for distributing crj^to- 
graphic key information is described incorporating a 
quantum channel for conveying dim and reference light 
pulses, a timing channel, a source of coherent light 
pulses, beamsplitters, a random number generator, a 
phase modulator and a memory for recording the phase 
of uansmitted dim light pulses. A cryptographic key 
receiver is described incorporating beam splitters, a 
random number generator, a phase modulator, a detec- 
tor and a memory for recording the phase of received 
dim light pulses. The invention overcomes the problem 
of distributing fresh cryptographic key information 
between t\vo users who share no secret information 
initially, 

10 Claims, 3 Drawing Sheets 
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placed in the signal and idler arms of the apparatus. The 

IP»JTERFEROMETRIC QUANTUM interferometer outputs are viewed by signals So, SI and 

CRYPTOGRAPHIC KEY DISTRIBUTION SYSTEM idler lo, II single-photon counting detectors. 

In quantum cryptography, after the quantum trans- 

BACKGROUND OF THE INVENTION 5 mission has been sent and received, the sender and re- 

1. Field of the Invention reiver exchange further messages through a second 
This invention relates to distributing cryptographic channel, caUed the "public channel"r which may be of 

key information and, more particularly, to constructive any physical form such as an optical, microwave, or 

and destructive interference of light pulses of such low radio channel. These messages, which need not be kept 

intensity that they could not in principle be measured secret from the eavesdropper, allow the legitimate 

rehably by an eavesdropper. sender and receiver to assess the extent of the distur- 

2. Description of the Prior Art bance of the quantum transmission by eavesdropping by 
If two users possess shared random secret informa- another and noise sources such as photomultiplier dark 

tion ("key")» they can achieve, with provable security, current, and, if the disturbance of the quantum transmis- 

the two chief goals of cryptography: 1) making their sion has not been too great, to distill from the sent and 

messages unintelligible to an eavesdropper and 2) distin- received versions of the quantum transmission a smaller 

guishing legitimate messages from forged or altered body of random key information which with high prob- 

ones. A one-time-pad encryption achieves the first goal ability is known to the sender and receiver but to no one 

while Wegman-Carter authentication achieves the sec- else. 

ond goal. Unfortunately, both one-time-pad encryption 20 prevent an impersonation attack, the public chan- 

and Wegman-Carter authentication consume key infor- nel messages must be authenticated or otherwise pro- 

mation and render it unfit for reuse. Therefore, some tected against alternation or substitution, but they need 

means of distributing fresh key information is needed in ^Qt be kept secret. It should be emphasized that in quan- 

order for two users to achieve provable security that ^um cryptography, no effort need be made to guard the 

their messages are unintelligible to an eavesdropper. 25 q^,3JJt^Jn channel against passive or active wiretapping, 

One way of distributing fresh key information is by because even if an eavesdropper did tap into it, the 

carrying a material storage medium such as magnetic eavesdropper could not gain significant information 

tape, containing a copy of the fresh key, from one user ^^^^^ ^ ^-^^^^ introducing so much disturbance 

to the other. Such a key is good only between the two quantum transmission as to be detected. In the 

users who have copies of it, and its secunty depends on 30 ^^^^^^i^^^j described in the publication by Bennett et 

Its havmg been contmually protected from "jspection ^^^^ ^ ^^^^^^^ ^ polarization 

not only dunng its transport from one user to the other, ^^^^ ^^^^ ^ ^^^^^ ,^ 

but dunng the entire Ume from its generation until Us the quantum channel, the polarization sute of a 

destruction after the users have used to encrypt or au- . , .7 . i • «- * j u i. • t j 

thenticate a particular message and no longer need it. 35 smgle dim light pulse is affected by the mechanical and 

The logistic problems of key distribution and storage thermal fluctuations m the fiber environment which 

are so great that many applications, such as secure tele- causes the output polanzation of a long fiber to wander 

phones, instead use purely mathematical techniques by unpredictably. 

which two users, who may not have anticipated their SUMMARY OF THE INVENTION 

need to communicate secretly, can nevertheless agree 40 . , , 

over an insecure telephone line on a "session key" In accordance with the present invention, an appara- 

which they use to encrypt the ensuing conversation and tus and method is described for sendmg messages umn- 

then destroy. Unfortunately, all such mathematical telligible to an eavesdropper compnsmg a plurality of n 

techniques for key agreement over an unprotected commumcation nodes, each havmg a first, second and 
channel rest on unproven assumptions such as the diffi- 45 third port, a first quantum channel for conveying dim 

culty of factoring large numbers. and reference light pulses connected to the first port of 

In a publication by C. H. Bennet and G. Brassard the plurality of communication nodes, a second timing 

entitled "Quantum Public Key Distribution System", channel for conveying timing signals connected to the 

IBM Technical Disclosure Bulletin, 28, 3153 (1985), faint second pon of the plurality of communication nodes, a 
pulsesofpolarizedlightareused to distribute key infor- 50 third message channel for conveying information se- 

mation via a low-attenuating (10-20 dB), non-depolariz- lected from the group consisting of plain text and en- 

ing optical channel, called the "quantum channel". By crypted text connected to the third port of the plurality 

utilizing the "quantum channel", two users can agree on of communication nodes, at least one of the communica- 

a secret key in an impromptu manner, just before it is tion nodes including a first source of coherent light 
needed, but with provable security based on the uncer- 55 pulses and one or more beamsplitters for sending a plu- 

tainty principle of quantum physics. To do so, the users rality of dim light pulses of coherent hght of an intensity 

may not exchange any material medium, but they do less than one expected photon per dim pulse spaced 

require a communication channel of a particular physi- apart in time over the first quantum channel, a second 

cal form, whose transmissions, owing to the uncertainty source of coherent light pulses for sending a plurality of 
principle, cannot be eavesdropped on without distur- 60 reference light pulses of coherent light positioned in 

bance. time with respect to the plurality of dim light pulses 

In a publication by A. K., Ekert et al., entitled "Prac- over the first quantum channel, a random number gen- 

tical Quantum Cryptography Based on Two-Photon erator for generating random numbers, a phase modula- 

Interferometry", Phys. Rev. Lett., 69, 1293 (1992), a tion coupled to the first source of coherent light pulses 
short- wavelength laser illuminates a suitably cut non- 65 and one or more beamsplitter and to the random num- 

iinear crystal. Apertures A5 and A/ select photon pair ber generator for setting the phase of the plurality of 

beams which are launched into single-mode fibers by dim light pulses, the phase of each dim light pulse 

lenses L. Identical Mach-Zehnder interferometers are chosen randomly from a plurality of predetermined 
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values in response to the random numbers, a first mem- sending messages unintelligible to an eavesdropper, 

ory for recording the phases of the plurality of dim light Secure communication network 10 includes communi- 

pulscs sent over the first quantum channel as a function cation nodes 12-17, each having a first, second and third 

of time, a first circuit for sending timing signals over the port. The first port of communication nodes 12-17 are 

second timing channel, and a second circuit for sending 5 coupled to quantum channel 18. Quantum chamiel 18 

and receiving information over the third message chan- functions to convey dim and reference light pulses from 

ncl, at least another one of the communication nodes one communication node to all the other communica- 

including one or more beamsplitters and a phoiodetec- tion nodes. Quantum channel 18 may be, for example, 

tor connected to the first quantum chamiel for receiving an optical channel comprising a single mode fiber. By 

and detecting at least some of the dim light pulses and 10 conveying dim and reference light pulses down an opti- 

their respective phase relative to the phase of respective cal fiber, mechanical and thermal fluctuations in the 

ones of the plurality of reference pulses as a function of fiber environment on each dim light pulse is largely 

time, a second memory for recording the phases of the cancelled by a compensating effect on the accompany- 

plurality of dim light pulses received as a function of ing reference light pulse. Because of the dim light pulse 

time, and a third circuit for sending and receiving infor- 15 tolerance for attenuating and environmental fluctua- 

mation over the third message channel. tions, the quantum channel is suitable for use in a pas- 

The invention further provides an apparatus and sive tree-connected multi-user fiber optic network in- 

method for distributing cryptographic key infonnation volving several splitters and outdoor links between a 

from a first communication node to a second communi- typical pair of users. It is merely necessary that total 

cation node comprising a first quantum channel for 20 losses between sender and receiver be small enough that 

conveying dim and reference light pulses connected the the wgnal pulses, having approximately i expected pho- 

first and second communication nodes, a second timing ton intensity at the sending end, still yielding a counting 

channel for conveying timing signals connected to the rate well above the photodetector dark count rate at the 

first and second communication nodes, the first commu- receiving end. It is not necessary for security purposes 

nication node including a first source of coherent light 25 to isolate the sender and the receiver from the rest of the 

pulses and one or more beamsplitters for sending a plu- communication nodes in secure communication net- 

rality of dim light pulses of coherent light of an intensity work 10. As will be explained subsequently, if other 

less than one expected photon per dim light pulse communication nodes than the sender and the receiver 

spaced apart in time over the first quantum channel, a attempt to listen in on a key-distributing communica- 

second source of coherent light pulses for sending a 30 tion, the other communication nodes will be in no better 

plurality of reference light pulses positioned in time position than outside eavesdropper, and will not be able 

with respect to the plurality of dim light pulses over the to gain significant information about the key agreed on 

first quantum channel, a random number generator for between a sender and a receiver, for example, where the 

generating random numbers, a phase modulator cou- sender is communication node 12 and the receiver is 

pled to the first source of light pulses and one or more 35 communication node 17. 

beamsplitters and to the random number generator for A second port of communication nodes 12-17 is cou- 

setting the phase of the plurality of dim light pulses, the pled to timing channel 20. Timing channel 20 functions 

phase of each dim light pulse chosen randomly from a to convey timing signals from a sender which may be, 

plurality of predetermined values in response to the for example, communication node 12 to the other com- 

random numbers, a first memory for recording the 40 munication nodes, for example, 13-17. Timing channel 

phase of the dim light pulses , as a function of time, and 20 may be, for example, an optical fiber, and more par- 

a first circuit for generating and sending a plurality of ticularly, a single mode fiber, 

timing signals over the second timing channel, the sec- A third port of communication nodes 12-17 is cou- 
ond communication node including one or more beam- pled to a message channel 22. Message channel 22 func- 
splitters and a photodetector connected to the first 45 tions to convey information from the sender to an in- 
quantum channel for detecting at least some of the dim tended receiver and from the receiver to the intended 
light pulses and their respective phase relative to re- sender in plain text as well as encrypted text after a key 
spective one of the plurality of reference pulses as a has been agreed upon or distributed between the two. 
function of time, and a second memory of recording the FIG, 2 is one embodiment of communication node 12 
phases of the plurality of dim light pulses as a function 50 shown in FIG. 1. In FIG. 2, like references are used for 
of time. functions corresponding to the apparatus of FIG. 1. 

^^^^,.,«^,^vr ^TTT" rx« * «,,vT^o Pulsed light source 28 functions to provide a coherent 

BRIEF DESCRIPTION OF THE DRAWINGS jjgj^^ ^^^^ ^ ^^^^^^ frequency through beamsplitter 

These and other features, objects, and advantages of 30, variable attenuator 32, beamsplitter 34, phase modu- 
the present invention will become apparent upon a con- 55 lator 36, beamsplitter 38 into quantum channel 18. Con- 
sideration of the following detailed description of the troller 40 provides a control signal over lead 41 to 
invention when read in conjunction with the drawing, pulsed light source 28 to generate a respective pulse, 
in which: Controller 40 provides a control signal over lead 42 to 

FIG. 1 is one embodiment of the invention, a control input of variable attenuator 32. Variable atten- 

FIG. 2 is one embodiment of a communication node 60 uator 32 is generally set to one value during the distribu- 

shown in FIG, 1 containing a key generator. tion of cryptographic key information. Variable attenu- 

FIG. 3 is a second embodiment of a communication ator 32 is set to a second value which is normally for less 

node shown in FIG. 1 containing a key receiver. attenuation during calibration of a key receiver. During 

r^T.c>^nTn-T-Ti-.xT r^r^ t-utt no rrrrcD d t:t^ Calibration, thc intensity of the dim light pulse must be 

DESCRIPTION DF ^5 increased so that it may be reliably received at the key 

EMBODIMENT receiver. Beamsplitter 30 functions to divert or reflect a 

Referring now to the drawing, FIG. 1 shows a block part of the light pulse generated by pulse light source 28 

diagram of a secure communication network 10 for into timing channel 20 which may be, for example, a 
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single mode fiber similar to that used for the quantum 
channel 18. Beamsplitters 34 and 38 have a reflection/- 
transmission ratio R which is greater than 1 causing the 
reflected light pulse to be greater in intensity than the 
light pulse passing forward into phase modulator 36. 
Phase modulator 36 functions to introduce or set the 
phase of a coherent light pulse from pulsed light source 
38. The phase shift is chosen randomly from a fixed set 
of possible values, for example, two values 0" or 180', or 
the four values 0% 90% 180' and 260". Controller 40 
provides a control signal over lead 43 to phase modula- 
tor 36 to set the phase of the coherent light pulse passing 
through phase modulator 36. 

Random number generator 46 is coupled over lead 47 
to an input of controller 40. Random number generator 
46 functions to create true random number which may 
be used by controller 40 to set the phase of the plurality 
of light pulses passing through phase modulator 36 
wherein the phase of each of the light pulses is chosen 
randomly from a plurality of predetermined values in 
response to the random numbers from random number 
generator 46. 

Controller 40 is connected to memory 50 by way of 
lead 51. Memory 50 functions to record the phase set in 
the light pulses passing through phase modulator 36 as 
a function of time. Controller 40 also functions to send 
and receive information or messages over message 
channel 22, 



In FIG. 2, random number generator 46, controller 
40 and phase modulator 36 function as a key generator 
with respect to light pulses emitted by pulsed light 
source 28 which is attenuated as it passes through beam- 
splitters 30, 34 and 38. 

Referring to FIG. 3. a block diagram is shown of 
communication node 17 which functions as a key re- 
ceiver to receive cryptographic key information from 
conmiunication node 12. In FIG. 3» like references are 
used for functions corresponding to the apparatus of 
FIGS. 1 and 2. Nodes 13-16 may incorporate the em- 
bodiment of node 12 if communications nodes 13-16 are 
to be able to communicate with communication node 
17. Alternately, communication nodes 13-16 may have 
an embodiment similar to communication node 17 as 
shown in FIG. 3 if communication nodes 13-16 are to 
be able to communicate with communication node 12. 
The apparatus of communication nodes 12 and 17 may 
be combined to form a universal node having the capa- 
20 bility to distribute key information with any other com- 
munication nodes and to receive key information dis- 
tributed from any other communication node. 

Referring to FIG. 3, light pulses on timing channel 20 
are detected by photodiode 60 which functions to con- 
vert the optical timing signal into electronic form which 
is coupled over lead 61 to an input of controller-dis- 
criminator 64. The corresponding dim light pulse from 
quantum channel 18 passes into beamsplitter 66 with a 



10 



15 



25 



t** n . r.i- ■ J .1 v splitting ratio R equal to that of beamsplitters 34 and 38 

Beaimphtter 34 ren^ 30 shown m FIG. 2. Beamsplitter 66 functions to split the 



pulse. The reflected light pulse off beamsplitter 34 is 
delayed by a fixed amount by mirrors 52 and 53 and 
recombined with the signal beam (dim light pulse) by 
beamsplitter 38. Together, beamsplitter 34, phase modu- 
lator 36, mirror 52, mirror 53, and beamsplitter 38 con- 35 
stitute the "senders half-interferometer" and operates to 
create pulsed pairs, a single pulse followed by a refer- 
ence pulse, with a fixed time delay and relative phase 
chosen by the sender. As each pulsed pair is sent, its 
phase shift is recorded by memory 50 for use in subse- 
quent steps of the key-distribution protocol. The pulsed 
duration should be comparable to the resolving time of 
the detector shown in FIG. 3 of the key receiver and 
the time delay should be enough larger to allow the 
signal (dim light pulse) and reference light pulses to be 45 
cleanly separated after passage through quantum chan- 
nel 18. If quantum channel 18 is a single mode fiber of 
several kn length, a few nanoseconds should be suffi- 
cient. Variable attenuator 32 is set, and the splitting 



incoming dim light pulse into a delayed reflected part 
and an undelayed transmitted part. The transmitted part 
passes through phase modulator 68 which applied a 
random phase shift $ and a fixed phase shift 4>. Random 
phase shift 6 is chosen from a fixed set of possible values 
which may be the same as the set of possible values used 
by the sender, communication node 12. Random num- 
ber generator 70 functions to generate random numbers 
which are coupled over lead 71 to an input of controll- 
40 er-discriminator 64. A phase value is chosen randomly 
from a plurality of predetermined values in response to 
the random numbers on lead 71 is coupled over lead 72 
to a control input of phase modulator 68. Calibration 
circuit 74 provides a constant phase shift ^ signal over 
lead 75 which may be, for example, an adjustable DC 
offset. 

The reflected beam from beamsplitter 66 is delayed 
by mirrors 78 and 79 and recombine with the transmit- 
ted beam by beamsplitter 80 of the same splitting ratio R 



ratio R of beamsplitters 34 and 38 are chosen so that the 50 as beamsplitter 66. Beamsplitter 66, phase modulator 68, 



dim light pulse has an intensity m of less than 1 expected 
photons per pulse and the reference pulses have an 
intensity M equal to mR^ photons. The reference pulse 
intensity M is made sufficiently large that the reference- 
like pulses after passage through quantum channel 18 55 
are still bright enough to be reliably detected at the key 
receiver shown in FIG. 3. The dim light pulses, of 
course, are so dim that most of the time they could not 
be detected even by a perfectly efficient detector lo- 
cated at the sending end of quantum channel 18. 60 

Quantum channel 18 should have low dispersion and 
low attenuation, for example in the range from 0 to 20 
dB, since the effective range of the system is the dis- 
tance beyond which the dim light pulse are so attenu- 
ated and/or time-broadened that their intensity ap- 65 
proaches the dark current equivalent noise input of the 
detector used at the receiving end of quantum channel 
18. 



mirror 78, mirror 79 and beamsplitter 80 comprise the 
"receiver's half-interferometer," which is identical to 
the sender's half-interferometer except for the adjust- 
able constant phase offset 4). One of the two beams 
leaving beamsplitter 80 is discarded shown by arrow 81. 
The other beam consisting of the superposition of the 
reflected part of the previously reflected beam from 
beamsplitter 66 and the transmitted part of the previ- 
ously transmitted beam through beamsplitter 66 passes 
into a fast but sensitive photodetector 84, capable of 
detecting single photons with a time resolution smaller 
than the delay between signal (dim light pulses and 
reference pulses). Photodetector 84 may be, for exam- 
ple, an avalanche photodiode cooled to —20* C. Photo- 
detector 84 may be, for example, a photomultiplier tube 
such as a microchannel plate photomultiplier tube. Suit- 
able photodetectors 84 are available from suppliers such 
as EG & G. 
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The signal received by photodeicctor 84 consists of to the once-delayed pulse used for nulling. If this twicc- 

threc parts separated in time: an undelaycd pulse (de- delayed pulse is too bright for the photodeteclor 84, the 

noted SS) which has Uken the short path through both photodetector 84 can be protected by an external shut- 

the senders and the receivers half interferometers; a ter or internally gated ofTduring the time the too-bright 

once-delayed pulse (SL+LS) which is the supcrposi- 5 pulse is expected. 

tion of the beam phase-modulated by the sender and The intensity of the SL and LS pulses is deliberately 
delayed by the receiver with that delayed by the sender made of very low in the range from 0.05 to one ex- 
and phase-modulated by the receiver; and finally a pected photon such as, for example, i expected photon 
twice-delayed pulse (LL), which has taken the long so that even a photodetector of 100% quantum efTi- 
path through both the senders and the receiven half- 10 ciency would fail to detect a significant fraction of con- 
interferometers. It is understood that the senders half- structivcly-intcrfcring pulsed pairs. This is done to en- 
inierferomcter is shown in FIG. 2 while the receivers sure that an eavesdropper even if the eavesdropper had 
half-interferometer is shown in FIG. 3. perfectly efllcicnt detectors, could still not gain com- 

Any counts in photodetector 84 produced by the plcte information about the phase shifts set by the 
undelayed SS pulse are discarded by the controller-dis- 15 sender. The intended receiver, communication node 17, 
criminator 64. The once-delayed SL-t-LS pulse con- also cannot determine all the phase shifts set by the 
tains the important data, i.e. the phase shifts set by the sender, conununication node 12, but goes ahead any- 
sender and receiver. If these differ by 0', constructive way, recording those instances in which communica- 
interference occurs and a count may be registered by tion node 17 receives a count. Barring dark counts and 
the detector. If the phase shift set by the sender and 20 other noise sources, these "successful measurements'* 
receiver differ by 180% the interference will be destruc- will confirm that for that particular time slot, the two 
tive, and no count will be registered by photodetector randomly chosen phase shifts were not such as to pro- 
84 except perhaps a count due to dark current or to duce destructive interference. In the renudning "unsuc- 
imperfect cancellation of the interfering light beams. cessful measurements," i.e. time slots where no count is 
Other phase differences such as 90* will yield a lesser 25 registered, communication node 17 will not know 
probability of detecting a count from photodetector 84. whether the absence of a count is due to the destructive 
The controller-discriminator 64 appends any count interference, or to constructive interference foUowed 
resulting from the once-delayed SL+LS pulse, along by failure to detect a photon. If communication node 17 
with the random phase shift part $ of the receivers and conununication node 12 each use only the phase 
phase shift, to memory 86 which is coupled over lead 87 30 shift values 0* and 180", then communication node I2*s 
to controller-discriminator 64. The phase shift data in receipt of photon will, barring noise, reveal what corn- 
memory 86 will be used, along with the senders record munication node 12's phase shift was for that time slot, 
of phase shifts in memory 50 in subsequent steps of the If a larger set of phase-shift values, such as 0% 90% 180*, 
key-distribution protocol. Memory 86 may store or and 270" is used, then a circumspect public discussion 
record the phase shifts set by phase modulator 68 as a 35 allows communication node 12 and conununication 
function of time. node 17 to eliminate from their date cases of partially 

The twice-delayed LL pulse is brighter by a factor constructed interference, for example, where the total 

approximately R^than the SL+LS pulse. Although the phase shift is 90' or 270", so that, again barring noise, 

LL pulse contains no phase information, it is still valu- there remaining data will consist of instances in which 

able because its arrival, at the correct time and with the 40 receipt of a photon reveals to communication node 17 

correct intensity, can be monitored by the photodetec- what communication node 12*s phase shift was. 

tor 84 to guard against a type of active eavesdropping Controller-discriminator 64 includes circuitry for 

"selective pulse suppression'*. The receivers controller- sending and receiving information over message chan- 

discriminator 64 therefore notes the arrival time and nel 22. 

approximate intensity of each LL pulse, and stores this 45 An imporunt design consideration is the choice of 

information in memory 86. The output of photodetector photodetector 84. Ideally, photodetector 84 should be 

84 is coupled over lead 85 to an input of controller-dis- able to count single photons with high quantum cffi- 

criminator 64. Controller-discriminator 64 couples a ciency, low dark count, and fast time resolution. In 

control signal over lead 88 to calibration circuit 74. An communication node 17, it is necessary to count both 

ancillary part of communication node 17 is calibration 50 the signal (SL+LS) and reference signal (LL) pulsed 

circuit 74 which is used when necessary to null the from each event, photodetector 84 should also have 

receivers half-interferometer, by adjusting its DC offset negligible dead time and moderate dynamic range, 

so that pulsed pairs with 0* total AC phase shift from being able to monitor the intensity of the relative bright 

sender and receiver result in maximal, and pulsed pairs pulses while still efficiently counting single photons in 

with 1 80* total AC phase shifts result in minimal inten- 55 the signal pulses. 

sity at photodetector 84. The periodic nulling by cali- MicroChannel plate photomultipler tubes approxi- 
bration circuit 74 will typically be necessary because of mate many of these requirements, but at the infrared 
thermal and mechanical variations in the optical path wavelengths most suitable for fiber optic communica- 
lengths of the two half-interferometers shown in FIGS. tion, their quantum efficiency is poor compared to that 
2 and 3 and it is best done using special nulling pulsed 60 of avalanche photodiodes, which in turn have poor 
pairs with pre-arranged phase shifts and the same inten- dead -time and dynamic-range performance. This limita- 
sity ratio, but higher absolute intensity, than the pulsed tion can be overcome by replacing photodetector 84 by 
pairs used for cryptographic key data transmission. The a dual detector assembly, in which an unsymmetric 
variable attenuator 32 shown in FIG. 2 gives the sender beam splitter would route most of the incoming light 
the capacity to produce these brighter pulsed pairs 65 intensity into a high efficiency single-photon detector 
when needed. When these nulling pulsed pairs pass for the signal pulses, while sending the rest to a lower- 
through the receivers half-interferometer, they will efficiency proportional detector which would thus be 
produce a rather bright twice-delayed pulse in addition able to monitor the reference pulses even if they arrive 
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during the dead time following detection of a signal communication node 17 if the eavesdropper succeeds, 

pulse by the more efficient detector. and suppressing both pulses if the eavesdropper fails. 

Other construction options include the choice be- This attack planned clandestinely biases the distribution 
tween bulk optic and Hber optic components in between of pulses reaching communication node 17 in favor of 
polarization-insensitive and polarization-sensitive com- 5 ones that the eavesdropper can successfully measure; to 
ponents. For quantum channel 18, optical fiber (low defend against the attack, conmaunication node 12 must 
cost, compact size, and flexibility) will generally out- make its original pulses so dim m^T where T is the 
weigh those of an unguided light beam (freedom from transmission coefficient of the quantum channel 18, that 
birefringence and attenuation). It should be recalled the fraction raV2 that can be split at the upstream end of 
that quantum cryptographic signals cannot be amplified 10 the quantum channel is smaller than the expected rate of 
in transit, since a repeater would disturb a signal in the arrival mT of photons at the downstream end. Together 
same way as an eavesdropper. Therefore, attenuation is with the requirement that the rate of arrival of photons 
probably the most serious limitation in an optic fiber at the downstream end significantly exceed the dark 
implementation of quantum channel 18. Either polariza- count rate, this limits the earlier invention to channel 
tion-maintaining or ordinarily single-mode fiber could 15 w hose transmission coefficients significantly exceeds 
be used in quantum channel 18. For the half-interferom- V(d/Q), where d and Q denote respectively, the dark 
eters, one could use a polarization-degenerate design if count rate (per time slot) and the quantum efficiency of 
sufficient polarization and sensitive components, for photodetector 84. By contrast, the present invention, in 
example, beamsplitters, phase modulators, were avail- its unsymmetric beamsplitter version where both signal 
able. Alternatively, one could use a non-degenerate 20 and reference pulses are measured by communication 
design in which the senders half-interferometer would node 17, prevents the attack, as described below. This 
produce output pulsed-pairs of fixed polarization, and allows a constant intensity m (optimally about i ex- 
the receivers half-interferometer would analyze only pected photon) to be used at the upstream end regard- 
the same polarization component. If a non-polarization- less of T, with a consequence that the minimum trans- 
maintaining fiber were used in the channel, the channel 25 mission coefficient T t hat can be accommodated scales 
output polarization woiild drift randomly due to envi- as d/Q rather than as V(d/Q). In the present invention, 
ronmental fluctuations. This could be handled by using a comparable attempt by an eavesdropper to use an 
a polarization-degenerate design at the receiving end, or unsymmetric measurement scheme such as communica- 
by measuring only one polarization component which tion node 17*s yielding successes and failures, and then 
would reduce the data rate by two. 30 to bias the distribution of pulsed pairs reaching commu- 

A symmetric beamsplitter version of the present in- nication node 17 in favor of ones the eavesdropper was 

vention would have R equal to I for beamsplitters 34 able to measure successfully, is frustrated by the pres- 

and 38 shown in FIG. 2 and beamsplitters 66 and 80 ence of the bright reference light pulses which cannot 

shown in FIG. 3. In the symmetric beamsplitter version, be suppressed clandestinely because they are so bright 

there is an advantage of not requiring active polariza- 35 that their presence at the expected time can be detected 

tion control to combat environmental laundering of the unambiguously by communication node 17. If the 

polarization in the long optic fiber. The data rate of the eavesdropper goes ahead anyway and suppresses a sig- 

symmetric version could be increased two-fold by using nal pulse (dim light pulse) without suppressing the cor- 

a symmetric detector configuration, with a second de- responding reference pulse, no cancellation will occur 

tector similar to photodetector 84 to catch the beam 40 in the receiving half-interferometer, and communica- 

leaving at the bottom of beamsplitter 80 shown by tion node 17's probability of registering a count will be 

arrow 81. The symmetric version would need to use reduced only to half its expected value in the absence of 

more than two phase shift values, for example, the four the eavesdropper's intervention. Such a count will, of 

values 0^ 90% 180" and 270' to avoid an especially fatal course, be uncorrelated with communication node 12's 

version of the selective pulse suppression attach that 45 original shift and so is as likely as not to lead to a detect- 

would otherwise render the scheme insecure at any able error, which ultimately will alert a communication 

pulse intensity. nodes 12 and 17 to the fact that eavesdropping is taking 

A virtue of the present invention is that, since an place, 
eavesdropper can gain only partial information about In the operation of the present invention, undetected 
the quantum transmission, the legitimate users have the 50 inspection of key information in transit in quantum 
ability, through public channel communications and channel 18 is prevented by encoding each key bit in the 
mathematical transformations, to derive from the quan- phase of a very dim signal pulse of coherent light (less 
turn transmission a body of certifiable shared secret than 1 expected photon) relative to an accompanying 
information, or to conclude that the qxiantum transmis- reference light pulse. A train of such signal/reference 
sion has been so disturbed by noise and/or eavesdrop- 55 pulsed pairs is sent through quantum channel 18 of low 
ping that no secret information can be exchanged. They dispersion and low to moderate attenuation. Owing to 
will not, except with low probability, be fooled into the uncertainty principle by Heisenberg, and the fact 
thinking they have succeeded in sharing secret informa- that the dim signal pulses, because of their low intensity, 
tion when the information is either not shared or not represent non-orthogonal states, an eavesdropper can- 
secret. 60 not, in principle, gain complete information about the 

One attack, "selective pulse suppression'*, to which phase shifts by phase modulator 36 shown in FIG. 2. 
other quantum public key distribution schemes are sus- After the quantum transmission has been sent and 
ceptible, in principle is the splitting of some of commu- received, the sender and receiver exchange further 
nication node 12's coherent light pulses by an eaves- messages over message channel 22 called the "public 
dropper into two or more coherent subpulses, one of 65 channel" which may be of any physical form, for exam- 
which the eavesdropper would measure, attempting to pie, radio as well as optical fiber or copper wire. These 
detect a photon in it, while forwarding the other sub- messages, which need not be kept secret from the eaves- 
pulse (or a new pulse fabricated by the eavesdropper) to dropper, allow the legitimate sender and receiver to 
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assess the extend of disturbance of the quantum trans- 
mission by eavesdropping and noise sources such as the 
photomultiplicr dark current, and if the disturbance has 
not been too great, to distill from the sent and received 
versions of the quantum transmission, a smaller body of 
random key information which with high probability is 
known to the sender and receiver but to no one else. 

To prevent an impersonation atuck, the public chan- 
nel messages must be authenticated (to detect a change) 
or otherwise protected against alteration or substitu- 
tion, but they need not be kept secret. It should be em- 
phasized that no effort need be made to guard the quan- 
tum channel 18 against passive or active wiretapping, 
because even if an eavesdropper did tap into it, the 
eavesdropper could not gain significant information 
about the key without introducing so much disturbance 
as to be detected. 

When the invention is used with sufficiently low- 
noise and high-quantum efficiency photon detectors 
(noise power equivalent to less than 0.01 photons per 
resolving time), the invention can be used over optical 
channels of significantly greater attenuation, for exam- 
ple, greater than 20 db. 

While there has been described and illustrated a se- 
cure communication network and an apparatus for dis- 
tributing and receiving cryptographic key information, 
it will be apparent to those skilled in the art that modifi- 
cations and variations are possible without deviating 
from the broad scope of the invention which shall be 
limited solely by the scope of the claims appended 
hereto. 

Having thus described my invention, what I claim as 
new and desire to secure by Letters Patents is: 

1. A secure communication network for sending mes- 
sages unintelligible to an eavesdropper comprising: 

a plurality of communication nodes, each having a 
first, second and third port, 

a first quantum channel for conveying dim and refer- 
ence light pulses connected to said first port of said 40 
plurality of communication nodes, 

a second timing channel for conveying timing signals 
connected to said second port of said plurality of 
communication nodes, 

a third message channel for conveying information 45 
selected from the group consisting of plain text and 
encrypted text connected to said third port of said 
plurality of communication nodes, 

at least one of said communication nodes including 

first means for sending a plurality of dim light pulses 50 
of coherent light of an intensity less than 1 ex- 
pected photon per dim pulse spaced apart in time 
over said first quantum channel, 

second means for sending a plurality of reference 
light pulses of coherent light positioned in time 55 
with respect to said plurality of dim light pulses 
over said first quantum channel, 

a random number generator for generating random 
numbers, 

a phase modulator coupled to said first means and to 60 
said random number generator for setting the phase 
of said plurality of dim light pulses, said phase of 
each said dim light pulse chosen randomly from a 
plurality of predetermined values in response to 
said random numbers, 

third means for recording the phases of said plurality 
of dim light pulses sent over said first quantum 
channel, 
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fourth means for sending timing signals over said 
second timing channel, and 

fifth means for sending and receiving information 
over said third message channel, 

at least another one of said communication nodes 
including sixth means connected to said fu^t quan- 
tum channel for receiving and detecting at least 
some of said dim light pulses and their respective 
phase relative to the phase of respective ones of 
said plurality of reference pulses as a function of 
time, 

seventh means for recording the phases of said plural- 
ity of dim light pulses received over said quantum 
channel as a function of time, and 

eighth means for sending and receiving information 
over said third message channel. 

2. An apparatus for distributing cryptographic key 
information from a first communication node to a sec- 
ond communication node comprising: 

a first quantum channel for conveying dim and refer- 
ence light pulses connected to said first and second 
communication nodes, 

a second timing channel for conveying timing signals 
connected to said first and second communication 
nodes, said first communication node including 

first means for sending a plurality of dim light pulses 
of coherent light of an intensity less than 1 ex- 
pected photon per dim light pulse spaced apart in 
time over said first quantum channel, 

second means for sending a plurality of reference 
light pulses positioned in time with respect to said 
plurality of dim light pulses over said first quantum 
channel, 

a random number generator for generating random 
numbers, 

a phase modulator coupled to said first means and to 
said random number generator for setting the phase 
of said plurality of dim light pulses, said phase of 
each said dim light pulse chosen randomly from a 
plurality of predetermined values in response to 
said random numbers, 

third means for recording the phase of said dim light 
pulses as a function of time, and 

fourth means for generating and sending a plurality of 
timing signals over said second timing channel, 

said second communication node including fifth 
means connected to said first quantum channel for 
detecting at least some of said dim light pulses and 
their respective phase relative to respective ones of 
said plurality of reference pulses as a function of 
time, and 

sixth means for recording the phases of said plurality 
of dim light pulses as a function of time. 

3. An apparatus for generating cryptographic key 
information comprising: 

a light source for generating and sending a plurality 
of dim hght pulses of coherent hght of intensity of 
less than 1 expected photon per dim pulse spaced 
apart in time, 

a random number generator for generating random 
numbers, 

a phase modulator coupled to said light source and to 
said random number generator for setting the phase 
of each of said plurality of dim light pulses, said 
phase chosen randomly from a plurality of prede- 
termined values in response to said random num- 
bers, and 
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first means for recording the respective phases of said 
plurality of dim light pulses as a function of time. 

4. The apparatus of claim 3 wherein said light source 
includes means for generating and sending a plurality of 
reference light pulses positioned in time with respect to 
said plurality of dim light pulses. 

5. The apparatus of claim 3 further including a quan- 
tum channel coupled to said phase modulator for dis- 
tributing said plurality of dim light pulses. 

6. An apparatus for receiving a plurality of dim Hght 
pulses comprising: 

a first unsymmetric beamsplitter having a reflection/- 
transmission ratio R coupled to a source of said 
plurality of dim light pulses, 

first means for conveying said reflected plurality of 
dim light pulses a predetermined distance and to 
the reflection side of a second unsymmetric beam- 
splitter having a reflection/transmission ration R, 
and a detector positioned in the path of said re- 
flected plurality of dim pulses from said second 
unsymmetric beamsplitter, 

said first unsymmetric beamsplitter having a transmis- 
sion path therethrough, through a phase modulator 
and through said second unsymmetric beamsplitter 25 
in alignment with said reflected plurality of dim 
light pulses to said detector whereby destructive or 
constructive phase interference occurs, 

a random number generator, said phase modulator 
coupled to said random number generator for set- 
ting the phase of said plurality of dim hght pulses 
on said transmission path with said phase of each 
said dim light pulse chosen randomly from a plural- 
ity of predetermined values in response to said 
random numbers. 

7. The apparatus of claim 1 wherein said another one 
of said n communication nodes includes: 

a random number generator for generating random 
numbers, 

a phase modulator connected to said first port and to ^ 
said random number generator for setting the phase 
of said reference light pulse by a plurality of prede- 
termined values in response to said random num- 
bers, 

fifth means for attenuating said bright pulse, 
sixth means for time shifting said dim pulse with re- 
spect to said bright pulse, 
seventh means for combining said attenuated and 
phase modulated bright pulse with said time shifted 
dim pulse whereby constructive interference oc- 
curs to provide at least an expected one photon 
output or whereby destructive interference occurs 
to provide substantially no expected photon out- 
put, 

eighth means for detecting said photon output at 

times constructive interference occurs, 
ninth means for receiving timing signals over said 

second timing channel, and 
tenth means for sending and receiving information ^ 

over said third message channel. 

8. A method for sending messages unintelligible to an 
eavesdropper in a communication network having: 

a plurality of communication nodes, each having a 
first, second and third port, 

a first quantum channel for conveying dim and refer- 
ence light pulses connected to said first port of said 
plurality of communication nodes, 
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a second timing channel for conveying timing signals 
connected to said second port of said plurality of 
communication nodes, 

a third message channel for conveying information 
selected from the group consisting of plain text and 
encrypted text connected to said third port of said 
plurality of communication nodes, 

at least one of said communication nodes performing 
the steps of; 

sending a plurahty of dim light pulses of coherent 
light of an intensity l^s than 1 expected photon per 
dim pulse spaced apart in time over said first quan- 
tum channel, 

sending a plurality of reference light pulses of coher- 
ent light positioned in time with respect to said 
plurality of dim light pulses over said first quantum 
channel, 

setting the phase of said plurality of dim light pulses, 
said phase of each said dim hght pulse chosen ran- 
domly from a plurality of predetermined values in 
response to said random numbers, 

recording the phases of said plurality of dim light 
pulses sent over said first quantum channel, 

sending timing signals over said second timing chan- 
nel, and 

sending and receiving information over said third 
message channel, 

at least another one of said communication nodes 
performing the steps of receiving and detecting at 
least some of said dim light pulses and their respec- 
tive phase relative to the phase of respective ones 
of said plurality of reference pulses as a function of 
time, 

recording the phases of said plurality of dim hght 
pulses received over said quantum channel as a 
function of time, and 

sending and receiving information over said third 
message channel. 

9, A method for distributing cryptographic key infor- 
mation from a first communication node to a second 
communication node connected together by 

a first quantum channel for conveying dim and refer- 
ence light pulses connected to said first and second 
communication nodes, 

a second timing channel for conveying timing signals 
connected to said first and second communication 
nodes, said first communication node performing 
the steps of 

sending a plurahty of dim light pulses of coherent 
light of an intensity less than 1 expected photon per 
dim light pulse spaced apart in time over said first 
quantum channel, 

sending a plurality of reference light pulses posi- 
tioned in time with respect to said plurality of dim 
hght pulses over said first quantum channel, 

setting the phase of said plurality of dim hght pulses, 
said phase of each said dim light pulse chosen ran- 
domly from a plurality of predetermined values in 
response to said random numbers, 

recording the phase of said dim light pulses as a func- 
tion of time, and 

generating and sending a plurality of timing signals 
over said second timing channel, 

said second communication node performing the 
steps of detecting at least some of said dim light 
pulses and their respective phase relative to respec- 
tive ones of said plurahty of reference pulses as a 
function of time, and 
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recording the phases of said plurality of dim light 
pulses as a function of time. 

10. A method for generating cryptographic key infor- 
mation comprising the steps of: 

generating and sending a plurality of dim light pulses 
of coherent light of intensity of less than 1 expected 
photon per dim pulse spaced apart in time, 

setting the phase of each of said plurality of dim light 



pulses, said phase chosen randomly from a plurality 
of predetermined values in response to said random 
numbers, and 

recording the respective phases of said plurality of 
dim light pulses as a function of time. 
* • • • * 



15 



20 



25 



30 



35 



40 



45 



50 



55 



60 



65 



07/03/2004, EAST version: 1.4.1 



UNITED STATES PATENT AND TRADEMARK OFFICE 



CERTIFICATE OF CORRECTION 



PATENT NO. 

DATED 

INVENTOR(S) 



5, 307, mo 

April 26, 1994 
Charles H. Bennett 



It is certified that error appears in the above-identified patent and that said Letters Patent is hereby 
corrected as shown below: 



Column 3, line 35, after "of" insert —coherent—. 
Column 6, line 68, change "EG £ G." to —EG S G, Inc., 
Wellesley, Massachusetts. —• 

In The Claims: 

Column U, after line 17, insert —generating random numbers,—; 
Column 14, after line 55, Insert —generating random numbers, — . 

Column 15, after line 7, insert —generating random numbers, — . 



Signed and Sealed this 
Eighteenth Day of October, 1994 



Attest: 




BRUCE LEHMAN 



Attesting Officer 



Commissioner of Patents and Trademarks 



07/03/2004, EAST version: 1.4.1 



